BUSINESS CASE FOR INFORMATION SECURITY PROGRAM
Developed and Presented by: William Godwin 3/12/2014
© 2014
Background
Safeguards the company’s most important asset:
CORPORATE INFORMATION
Establishes a formal program and standard to:
Safeguard Confidentiality, Integrity, and Availability of information
Determine the company’s risk appetite
Categorize data and information assets
Establish appropriate security control baseline
Assess risk of compromise
Comply with governing regulations and corporate governance
Value
Identify IT Operations as a business enabler
Establish security benchmarks and determine assessment targets capable of maturing as threats evolve and become more sophisticated
Aligns IT Services with the company’s mission
Delivers long-term information security strategy
Effectively mitigate threats and risks and reduce incidents
Drive scalable processes and IT solutions
Provides insight to…
Optimize IT operations budget management
Promote organizational structure to integrate program
Conducive to organizational maturity
Scope
Organization Position/Posture
Data categorization of critical departments
Risk Appetite
Determine company’s tolerance to risk exposure
Business Impact Analysis
Determine criticality of departments and supporting resources
Develop Strategy, Plan, Implement and Execute
Cultivate Continuous Improvement Opportunities
Organization Position/Posture
Develop strategy for implementation. Reference output from Data Categorization & Risk Appetite exercise (Ref. slide #6 & slide #7)
Garner support from organization leadership
Large/Enterprise organizations may have multiple executives
Obtain operational leadership buy-in
Operational Managers will need to be made aware of their roles and expectations
Develop & establish corporate standards and requirements for information security
Data Categorization
Defines broad classes of information created, stored, and/or delivered by the company
Allows for logical groupings based on criticality to the business
Determines data sensitivity levels to unauthorized access, modification or loss of availability
Aids to …
Establish security baseline for protecting sensitive data
Identify business exposure
Determine impact on company should data become compromised
Permit executives to organize priority based on criticality of data
Determine & Establish Risk Appetite
The company may implement an appropriate level of information security control based on its risk appetite.
Risk appetite is determined by establishing the sensitivity of data stored, processed or transmitted by an information system. (Ref. slide #6)
Sensitivity is determined by understanding the criticality of the data to the company’s mission or regulatory requirements.
Business Impact Analysis
Categorize and analyze critical business departments/divisions
Create priority list of most sensitive business functions
Create priority list of support resources
Human Resources
Information Technology Resources
Establish information security requirements
Identify and implement baseline security controls to reduce risk
Strategy, Plan, Implement & Execute
Strategy
Identify desired service capability and control coverage – (Ref. slide #10)
Identify and gather regulatory requirements and corporate governance
Develop and execute strategic plan for program implementation
Planning for critical IT assets
Establish operation authority (typically an executive authorizes system to operate)
Document system Security Plan
Develop system IT Contingency Plan
Develop Configuration Management & Control Plan
Develop system Incident Response Plan
Implement security controls as specified within the security plan
Execute
Conduct threat assessment
Conduct initial Risk Assessment
Mitigate security exposure to acceptable levels
Conduct final security test to validate control implementation
Information Security Model
Model Terms & Glossary
Capability: Defines the “what”: the information security processes, process areas or disciplines in place.
Coverage: Defines the “amount” of control coverage and the timeline over which it should be applied.
Control: Managing obligations to the business, stakeholders and customers, and demonstrating that they are met.
[Figure: Information Security Model. Axes: Capability (levels 1 to 5) and Coverage (0%, 25%, 50%, 75%, 100%). Labels: Info Security Mission & Goals, Risk & Compliance Objectives, Control, Optimal Path (Timeline), ROI & Cost-efficiency.]
Capability   Processes are …                             Coverage
1            Ad Hoc & Disorganized                       0%
2            Repeatable (generally consistent pattern)   25%
3            Documented and communicated                 50%
4            Monitored and measured                      75%
5            Measured and improved                       100%
Maturing to Proactive Posture
Capability: Process discovery and re-engineering to support Information Security program alignment with business and security requirements.
Coverage: Integrate required regulations and observe areas for control enhancement.
Control: Risk- and compliance-based categorization and prioritization of information assets and processes.
The degree and complexity of controls are driven by the enterprise’s risk appetite and applicable compliance requirements.
SEI, Carnegie Mellon 2008
Primary Drivers
Continuous Improvement Opportunities
Identify success/fail requirements
Identify metrics applicable to the organization, for example:
Total vulnerabilities
Residual risk
Total incidents
Change in vulnerabilities and incidents
IT system operational budget change
Conclusion
Aids organization leaders to identify and assign priority to business units and supporting IT systems based on criticality
Enables effective financial planning for IT Operations and Security
Ensures compliance with regulatory requirements and governance
Enables effective management of risk to IT systems
Improves IT service capabilities through process maturity